Banking on resilience: Bank of England proposes new rules for financial sector cyber resilience

In April this year the Bank of England (the Bank) shared a series of proposals focused on outsourcing and third-party risk management within financial market infrastructure firms (FMIs).

It follows publication of its operational resilience policy last year, ‘designed to improve the operational resilience of FMIs and protect the wider financial sector’. This noted that a major priority for the Bank, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) was to create a robust regulatory framework to ‘promote operational resilience’ amongst FMIs.

Taken together, it demonstrates the Bank’s continued drive towards operational resilience amongst financial services providers, given increased reliance on third-party technology and software.

The Bank concludes in its guidelines that this reliance, in particular for cloud services, is enhancing the risk landscape and requires a clear regulatory response.

The proposals are therefore intended to:

• Facilitate greater resilience and adoption of new technologies, as set out in its Future of Finance report
• Set expectations and requirements in relation to outsourcing and third-party risk management in FMIs
• Sit alongside the Bank’s Supervisory Statements (SS2/21) on FMI operational resilience

Under the proposed new rules, firms - Central Counterparties (CCPs), Central Securities Depositaries (CSDs), Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs) - would be required to develop, maintain and test business continuity plans and exit strategies for critical business services provided or supported by third parties. The new regulations advice includes actively considering measures that can ensure service continuity following disruption or a stressed exit.

Of particular note within the guidelines is how the Bank highlights the importance of contractual and escrow arrangements between customer and third-party providers. Software escrow agreements are one of the most effective, proportionate and cost-efficient measures to managing third-party technology risks with cloud, software and technology providers. By offering a minimum level of resilience through legal and technical means, it ensures business continuity while a service is being restored or alternative options are being implemented.

Leading NCC Group’s response to the Bank’s proposals, Wayne Scott, Regulatory Compliance Solutions Lead at NCC Group, shared:

"The Bank of England should be applauded for its continued leadership in setting high outsourcing standards for the financial services industry. As it finalises its supervisory statements and takes further steps to strengthen the resilience of institutions, against the backdrop of a fast-evolving risk landscape, it must focus on three areas.

“The first is to ensure that clear ‘resilience by design’ measures are embedded and encouraged within its guidance. Cyber resiliency, wherever possible, should be inbuilt within the services, software and technology in question, to best minimise and manage risks. The Bank can play a crucial role in advocating for this approach within the sector and help promote the virtues of software escrow to other UK regulators who are currently reviewing their operational resilience regulation.

“Any guidelines relating to outsourcing and third-party risk management should also champion the power of information sharing. Greater information sharing could improve a shared and contextualised understanding of concentration risk. This is critical, given that the threats all organisations face – not just financial – are continually shifting in complexity, volume, source and severity.

“Finally, the Bank must consider its standing on the global stage. There is a worldwide move towards true operational resilience – take the Parliament of Singapore’s endowment of new powers to help its Monetary Authority enforce risk management earlier this year as an example. The Bank is helping to set standards internationally and has an important role to play in shaping and promoting consistent best practice within operational resilience guidance, globally.”